Chains are ordered lists of rules. A packet starts at the top of a chain and is checked against each rule in turn until it matches one whose target decides its fate (for example ACCEPT or DROP). The filter table has three built-in chains: INPUT, OUTPUT and FORWARD. Traffic addressed to the local host passes through the INPUT chain, traffic generated by the local host passes through the OUTPUT chain, and traffic that the host routes between other machines passes through the FORWARD chain. Each built-in chain has a default policy, which is applied if no rule matches. User-defined chains can be added to keep rulesets shorter and easier to maintain: a rule jumps to them, and if nothing in the user-defined chain matches, processing returns to the chain that made the jump.

The LOG target can be used to log packets that match a rule. Unlike terminating targets such as ACCEPT or DROP, LOG does not end the traversal: the packet continues down the chain after it has been logged. This means that to log every dropped packet you would have to put a duplicate LOG rule in front of each DROP rule. Since this doubles the number of rules and makes the ruleset harder to maintain, a user-defined LOGDROP chain that first logs and then drops can be created instead and used as the target wherever DROP would have been.

The limit module should be used to prevent your iptables log from growing too large or causing needless hard drive writes. Without limiting, an attacker could fill your drive (or at least your {{filename|/var}} partition) by causing writes to the iptables log.

This appends a rule to the LOGDROP chain which logs the packets that pass through it. The first 10 packets are logged immediately (the burst); after that at most 5 packets per minute are logged. The burst allowance is refilled by one packet each time a full interval of the limit rate (here 12 seconds) passes without the limit being exceeded. Note that the limit only affects what gets logged: every packet entering the chain is still dropped.
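The following POSIX shell script is an added example and not part of the original page: it builds the LOGDROP chain described above (a rate-limited LOG rule followed by DROP) and then uses LOGDROP as the catch-all target of a small INPUT ruleset. The log prefix, the example INPUT rules and the apply/dry-run switch are assumptions of this example. With no argument it only prints the iptables commands; run it as root with the argument apply to install them.

```shell
#!/bin/sh
# Added example: build a rate-limited LOGDROP chain and use it instead of DROP.
# IPTABLES defaults to the real binary; setting IPTABLES=echo gives a dry run
# that prints the commands instead of executing them (assumed convention).
IPTABLES="${IPTABLES:-iptables}"
CHAIN="LOGDROP"
LOG_PREFIX="[iptables] "   # assumed prefix; lets syslog-ng match these lines

# Create the user-defined chain. -N fails if the chain already exists, which
# is harmless on a re-run, so that error is ignored.
create_logdrop() {
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || true
}

# Fill the chain: one LOG rule throttled by the limit module, then DROP.
# LOG is non-terminating, so every packet entering the chain still reaches
# the DROP rule; the limit only caps how many of them are written to the log
# (10 at once, then 5 per minute).
populate_logdrop() {
    "$IPTABLES" -A "$CHAIN" -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "$LOG_PREFIX" --log-level 4
    "$IPTABLES" -A "$CHAIN" -j DROP
}

# Constructed INPUT ruleset: accept loopback traffic and replies to our own
# connections, and send everything else to LOGDROP.
use_logdrop() {
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    "$IPTABLES" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A INPUT -j "$CHAIN"
}

setup_logdrop() {
    create_logdrop && populate_logdrop && use_logdrop
}

# No argument (or "dry-run") only prints the commands; "apply" runs them for
# real and therefore needs root.
case "${1:-dry-run}" in
    apply)   setup_logdrop ;;
    dry-run) IPTABLES=echo; setup_logdrop ;;
    *)       echo "usage: $0 [apply|dry-run]" >&2; exit 2 ;;
esac
```

Because the LOG rule sits in front of the DROP rule inside LOGDROP, every jump into the chain is logged subject to the limit and then dropped, so the INPUT chain itself only needs a single -j LOGDROP rule instead of a LOG/DROP pair per rule.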

If you also want iptables to log to a file other than {{filename|/var/log/iptables.log}}, change the file() value of the d_iptables destination (still in {{filename|syslog-ng.conf}}):

destination d_iptables { file("/var/log/iptables.log"); };

=== ulogd ===

[http://www.netfilter.org/projects/ulogd/index.html ulogd] is a specialized userspace packet logging daemon for netfilter that can replace the default LOG target. An [[AUR]] package can be found [http://aur.archlinux.org/packages.php?ID=22704 here].